Host firewall rules with nftables for default deny networking

426 views

                  table inet filter {
  chain input {
    type filter hook input priority 0;
    policy drop;

    ct state established,related accept
    iif lo accept
    tcp dport { 22, 80, 443 } accept
    ip protocol icmp accept
  }

  chain forward {
    type filter hook forward priority 0;
    policy drop;
  }

  chain output {
    type filter hook output priority 0;
    policy accept;
  }
}

I prefer a default-deny stance and then open only what the host actually serves. nftables is flexible enough to express that clearly without giant unreadable rule sets. A short explicit policy ages better than a sprawling inherited firewall script nobody trusts.

Kai Nakamura

More from Kai Nakamura

Host firewall rules with nftables for default deny networking

0 Comments

More from Kai Nakamura